Links are so fundamental to web development that they're almost invisible. When we link to a third-party page, we hardly ever consider how it could become an opportunity to exploit our users. In this article, Julien Cretel introduces us to three techniques that bad actors can use to target our users and discusses how to avoid them.
With open source in our roots, we’re always excited about integrations with tools like OpenVAS, a popular open source vulnerability scanner that Greenbone Networks has maintained since 2009. If you’re not currently using OpenVAS, you can find the project here. OpenVAS contains more than 50,000 vulnerability tests with a community constantly updating its feed to adapt to the ever-evolving security landscape.
On July 14, 2020, Microsoft released a security update related to a remote code execution (RCE) and denial of service (DoS) vulnerability (CVE-2020-1350) in Windows DNS Server (2003 - 2019).
A new vulnerability, CVE-2020-8557, has been detected in kubelet. It can be exploited by writing into /etc/hosts to cause a denial of service. The source of the issue is that the /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager, so it’s not taken into account when calculating ephemeral storage usage by a pod.
Today we are releasing Grafana 6.7.4 and 7.0.2. These patch releases include an important security fix for an issue that affects all Grafana versions from 3.0.1 to 7.0.1.
A security vulnerability (CVE-2020-8555) with a Medium severity has been reported that affects following versions of Kubernetes: Note, an attack using this vulnerability requires permission to create a pod or StorageClass and would typically only be granted to internal administrators or developers within an organization. It is possible to mitigate an attack by implementing policies using Gatekeeper and restricting StorageClass using Kubernetes access controls.
This CVE is a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master’s host network (such as link-local or loopback services).
Face it. Your IT systems may be secure today, but what about next week? Granted, as stated by the Center for Internet Security (CIS), you and your team members must operate in a constant stream of new information—software updates, patches, security advisories, threat bulletins, and more. But as you know, attackers have access to the same information and can leverage gaps between the onset of new knowledge and remediation.
A vulnerability was recently discovered in CFEngine Mission Portal and has now been fixed. Under certain circumstances, it was possible to inject JavaScript code into data presented in Mission Portal, that would be run in the user’s browser. This security issue was fixed in CFEngine 3.10.7, 3.12.3, and 3.15.0, and will be mitigated by upgrading your hub to one of these versions (or later). No other action is required than upgrading the Hub.
